Malicious Apps Could Use Phone Sensor Data to Figure Out PIN

Security-conscious users usually set a PIN on their phones as soon as they get the device and have finished going through the settings. This, however, may not be enough.

According to a paper published by a group of researchers from Singapore’s Nanyang Technological University, malicious apps can gather enough sensor data to eventually guess the user’s PIN. The issue seems to stem from the fact that most apps can access a phone’s sensors without needing specific permission to do so. According to the researchers, the problem affects both Android and iOS users.

Of course, this wouldn’t be possible without having a malicious app installed on the device. This means that, as always, you have to be extremely careful about the apps that you allow on your phone, even if they come from the official app stores.

The researchers created an Android app, installed it on a test device, and used it to collect data from the accelerometer, gyroscope, magnetometer, proximity sensor, barometer, and ambient light sensor. The algorithm they put together analyzed all of this data and was able to tell which key a user had pressed from signals such as the phone's tilt and changes in nearby ambient light as the user's finger moved over the touchscreen.

While this may seem like some Sherlock-level deduction, it's not that difficult to put together. It's also quite efficient. The experiment used only 500 random PIN-entry operations from three participants. The results are staggering: 99.5% accuracy on the first try when the PINs were drawn from a list of the 50 most common PINs.

The feeble PIN

With more data, the algorithm can become even more accurate, and it could even crack longer passwords. Regardless of how easy or difficult the PIN you use is, the problem remains that the operating systems allow apps access to sensor data without restrictions or permissions. The flaw can easily be exploited by criminals who want easy access to a phone’s data.

Furthermore, this isn’t the first time we’ve heard about sensor data being abused and the flaw being exposed, although it’s likely the first time we’ve seen such a high success rate in guessing the PIN code.

The fact of the matter remains that our smartphones are pocket computers that carry around tons of private data that we would love to keep private, from encrypted texts to our browser history to access to our Facebook and email accounts. These are all our very own cyber secrets, and they're worth a lot to each of us, whether we admit it or not.